RE: very basic question about apache and tomcat

2012-10-12 Thread Mead, Jen L
Hey I wanted to thank everyone for their suggestions and input.  I just got my 
keytab file from the windows administrators yesterday and am ready to fiddle 
with tomcat and Kerberos on the unix side to start testing.  I like what Mark 
wrote below about using VMs to set things up, learn the environment and then 
tweak for AIX.  However, I don't have that option, I have one AIX box and that 
is it to test with.  I got a lot of great suggestions and think I can wrap my 
mind around it, yesterday I compiled a full version of Kerberos on my AIX 
server so I could test out kinit and make sure communication is flowing before 
I start setting up the tomcat server.  I think that most people are going to be 
coming in on Windows Explorer so I will set that up as well as Firefox.  I feel 
50/50 about getting it running but certainly more ready than I was before I got 
responses from this group.  Thanks again,
Jen

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, September 20, 2012 3:05 PM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat



"Mead, Jen L"  wrote:

>Thanks.  I am in the process of testing.  The earlier answer from Chris 
>suggested that I might need some additional modules / libraries.  I am 
>following it step by step and I do see the unix part.
>
>I have sent my windows domain people a request to create a Kerberos key 
>and an account I can test with.  However, they provided one on a box I 
>did not have root on and it was way too frustrating trying to get unix 
>admin in India to understand what to do.  I now have a sandbox 
>environment with root and am trying different things, it has not worked 
>so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH 
for the first time. There are lots of moving parts and if you get just one 
thing wrong the whole lot fails. The error messages may not be too helpful when 
this happens. Posting the full error message, associated stack trace and 
exactly what you did to get to that point will help us to help you. Without 
those specifics, there is little the folks here can do to help and so far you 
have not provided any details apart from "it has not worked".

You will find this a whole lot easier if you can start from a known working 
configuration and take little steps towards the configuration you want. There 
are so many things that can go wrong that going directly to the configuration 
you want is going to be very high risk.

I'd strongly recommend that you follow something like the following approach:
Part one
1. Create three local Windows VMs (domain controller, server, client) and do 
a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs 
should take you through this step by step (although they do not try and are not 
intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or 
omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one but in your dev environment but use the domain controller from 
the dev environment rather than your VM (so you only have two VMs). You'll need 
co-operation from the domain admins but since you'll have your notes from part 
one you'll be able to tell them exactly what to do (which unfortunately it 
sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be 
familiar enough with the process that any problems will be because of running 
on AIX. Again, report any issues here and we'll do what we can to help. My best 
guess at this point is that it will either just work or you'll need to install 
samba, add the machine to the domain and do some additional (currently unknown) 
configuration. I'm leaning towards the just work option since I can't see why 
the Tomcat server needs to be part of the domain if it has its own service 
account. On the other hand, I'm not that familiar with the details of the 
Kerberos protocol and it is a while since I looked at all of this so I could 
easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at 
that point (assuming you have root access to an AIX dev machine) you'll still 
be in full control and a fair amount of tweaking may be required.

>Have you tried using this documentation? 

Actually no, I haven't tried using that documentation. On the other hand I 
implemented that feature. I figured out how to make built-in Windows 
authentication work (the JVM does the hard work) from the referen

Re: very basic question about apache and tomcat

2012-09-22 Thread André Warnier

Mead, Jen L wrote:

Yes, I did not find that useful.  It is very vague to say the least.  If I am 
missing something please let me know.  I want to use Built-in Tomcat support.



Simplify your life and have a look at Jespa (www.ioplex.com).  It is free for testing, and 
not expensive for production.  Download the Operator's Guide and read it.


It works all in Tomcat and doesn't require any other pieces than itself (*) - and a 
Windows domain environment of course.


There are several other ways, but I am not familiar with them.

Any type of web-based "Windows Integrated Authentication" (to give it one of its many 
names) requires that the browser supports it. I can confirm that it works with IE and with 
Firefox.  I do not know about the others.



(*) Sorry, ooops, it does require a jar from Samba (jcifs.jar). The Operator Manual tells 
you that, and where to get it from.




Jen

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, September 20, 2012 9:20 AM

To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

"Mead, Jen L"  wrote:


Hi Chris,

I met you at a PERL conference years and years ago along with a bunch 
of other people you met.  Anyways.  Exactly what I am trying to do is 
allow folks to use their web browser (I would like to stick with tomcat
7.0.27 on aix 6.1) from their windows workstation and authenticate 
against the windows domain.  I am hoping this can be accomplished 
without creating unix accounts.  The permissions for it, page access or 
run the tool would reside in the tomcat configuration side, but all 
authentification would be from the windows side.  If you can tell me 
how to do that I would be pretty happy.  I cannot find documentation on 
how to do it


Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is certainly 
possible for this to work although whether any other pieces (such as samba) are 
required and what their configuration might be I don't know. OTOH, it might 
just work.

I'll add looking at this to my to do list but it is a long list...

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: very basic question about apache and tomcat

2012-09-21 Thread Mark H. Wood
I've never tried with Tomcat, but it's not hard to get other Unix
applications to authenticate against the Kerberos component of ADS.  I
logon to Linux every day with ADS credentials, using Kerberos.

o  Browsers will need to be set up to use GSSAPI authentication with
   the affected site.  There's a plugin for Firefox that helps to
   manage the way it does this, where it's called Integrated
   Authentication for some reason.  I don't know how to manage that in
   IE since there isn't an IE for Linux. :-/

o  The server will need to offer GSSAPI authentication and know how to
   validate tickets.  A lot of that is standard JRE equipment.
   http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
   looks like good information on gluing it into Tomcat.

If I were doing this, I'd first stop thinking of it as Windows or ADS
authentication and think in terms of GSSAPI/Kerberos.

Searching for "firefox kerberos authentication" showed me a lot of
hits that might help you on the client side.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
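
A triage aid for the browser/server split described in the message above, added here as an example and not part of the thread or of Tomcat: it classifies the token in an `Authorization: Negotiate` request header as Kerberos or NTLM, because a browser that cannot obtain a Kerberos service ticket for the site commonly offers NTLM instead. The function names, verdict strings and sample headers are constructed for illustration.

```python
import base64

# Mechanism OIDs as DER content bytes (tag 0x06 and length stripped).
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLM_MAGIC = b"NTLMSSP\x00"

# Editorial troubleshooting notes for the verdicts that matter most.
HINTS = {
    "spnego-kerberos": "Browser offered a Kerberos ticket; look at the server "
                       "side (keytab, service principal, clock skew).",
    "ntlm": "Browser sent raw NTLM, so it got no Kerberos service ticket for "
            "this site; check the SPN, the host name in the URL and the "
            "browser's trusted-site setting.",
    "spnego-ntlm": "SPNEGO wrapper, but NTLM is the preferred mechanism; "
                   "same checks as for raw NTLM.",
}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def expect(buf, pos, tag):
    """Read the element at pos and insist on its tag."""
    got, start, end = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return start, end


def classify_gss(token):
    """Classify a GSS-API token by its mechanism OID (first SPNEGO mechType)."""
    tag, start, _ = read_tlv(token, 0)
    if tag == 0xA1:                        # NegTokenResp: later handshake leg
        return "spnego-continuation"
    if tag != 0x60:                        # not an InitialContextToken
        return "unknown"
    oid_start, oid_end = expect(token, start, 0x06)
    mech = token[oid_start:oid_end]
    if mech in (KRB5, MS_KRB5):
        return "kerberos"                  # bare Kerberos, no SPNEGO wrapper
    if mech != SPNEGO:
        return "unknown"
    pos, _ = expect(token, oid_end, 0xA0)  # [0] NegTokenInit
    pos, _ = expect(token, pos, 0x30)      # SEQUENCE
    pos, _ = expect(token, pos, 0xA0)      # [0] mechTypes
    pos, _ = expect(token, pos, 0x30)      # SEQUENCE OF OID, preferred first
    first_start, first_end = expect(token, pos, 0x06)
    first = token[first_start:first_end]
    if first in (KRB5, MS_KRB5):
        return "spnego-kerberos"
    return "spnego-ntlm" if first == NTLMSSP else "unknown"


def classify_negotiate(header_value):
    """Classify the value of an HTTP Authorization request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(NTLM_MAGIC):
            return "ntlm"
        return classify_gss(token)
    except ValueError:                     # bad base64 or bad DER
        return "malformed"


def der(tag, value):
    """Encode a short (<128 byte) DER element; used only to build samples."""
    if len(value) >= 128:
        raise ValueError("sample helper handles short values only")
    return bytes([tag, len(value)]) + value


def sample_headers():
    """Constructed headers; the 'tickets' inside are placeholder bytes."""
    def spnego(oids, mech_token):
        mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in oids)))
        body = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
        return der(0x60, der(0x06, SPNEGO) + der(0xA0, body))

    def hdr(raw):
        return "Negotiate " + base64.b64encode(raw).decode("ascii")

    return {
        "spnego_kerberos": hdr(spnego([MS_KRB5, KRB5, NTLMSSP], b"constructed-ticket")),
        "spnego_ntlm": hdr(spnego([NTLMSSP], NTLM_MAGIC + b"\x01\x00\x00\x00")),
        "raw_ntlm": hdr(NTLM_MAGIC + b"\x01\x00\x00\x00"),
        "truncated": hdr(b"\x60\x50\x06"),
        "basic": "Basic dXNlcjpwdw==",
    }


if __name__ == "__main__":
    for label, header in sample_headers().items():
        verdict = classify_negotiate(header)
        print("%-16s %-16s %s" % (label, verdict, HINTS.get(verdict, "")))
```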




Re: Re: very basic question about apache and tomcat

2012-09-20 Thread Terence M. Bandoian

On 9/20/2012 4:24 PM, Mark Thomas wrote:

"Terence M. Bandoian"  wrote:


On 9/19/2012 6:38 PM, Jeff wrote:

I have a related question since we recently implemented authentication to
AD via LDAP in our Tomcat WebApp but it currently prompts the user for
every new session, even if they are hitting the site from their windows
workstation that is already authenticated to the domain.

Is there a way to do it that detects the user's current AD session and
eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
independent?  If so, it would be great!

You might try Waffle.

Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle 
is not going to work. If moving Tomcat to Windows was an option, then Waffle 
would be a possibility (and that is made clear in Tomcat's docs - as are a 
number of other options).

Mark



Hi, Mark-

You're right.  I should have prefaced that with "If you're running on 
Windows".  However, a second person (see above) asked basically the same 
question as the OP and I'm not sure what platform they're on.  The 
built-in Java implementation sounds great if Tomcat 7 is being used.


-Terence Bandoian




Re: very basic question about apache and tomcat

2012-09-20 Thread Brett Delle Grazie
On 20 September 2012 17:20, Mark Thomas  wrote:
> "Mead, Jen L"  wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch
>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>allow folks to use their web browser (I would like to stick with tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>against the windows domain.  I am hoping this can be accomplished
>>without creating unix accounts.  The permissions for it, page access or
>>run the tool would reside in the tomcat configuration side, but all
>>authentification would be from the windows side.  If you can tell me
>>how to do that I would be pretty happy.  I cannot find documentation on
>>how to do it
>
> Did you find this?
>
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is
> certainly possible for this to work although whether any other pieces
> (such as samba) are required and what their configuration might be I
> don't know. OTOH, it might just work.
>

Samba is one way, in that context the AIX box becomes a member of the
Windows AD.
If that isn't possible:
Another alternative is bi or uni-directional cross-realm trusts.
That's where there is a Unix Kerberos realm and the Windows AD realm
and there is a trust
either between each realm or in one direction only. Cross-realm keys
are quite easy to create
in the more recent versions of Windows Server (2008+)

In this situation, the authentication trust could be configured only
one way (i.e. Windows AD users
are trusted for authentication purposes to the AIX Tomcat service).

I'm a bit fuzzy on the details since I last looked at this several
years ago. From what I remember
the following is needed:
(a) cross-realm keys in one or both directions (i.e. resulting in one
or two sets of keys)
- getting this right on the Windows side was quite difficult due to
different encryption standards
in use, different 'versions' of keys etc. Modern versions of Windows
Server do make this easier.
(b) a key on the AIX box representing the service (Tomcat) but in this
case the service key is for
the local Unix Kerberos realm, not the Windows AD realm
(c) A browser that permits Kerberos based authentication (e.g.
Firefox, or IE with the site
added to the trusted sites area).
(d) Patience, luck and lots of log perusal.

I've used this in a managed service environment but it's complicated
and error prone to configure.

> I'll add looking at this to my to do list but it is a long list...
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>




RE: very basic question about apache and tomcat

2012-09-20 Thread Mark Thomas


"Mead, Jen L"  wrote:

>Thanks.  I am in the process of testing.  The earlier answer from Chris
>suggested that I might need some additional modules / libraries.  I am
>following it step by step and I do see the unix part.
>
>I have sent my windows domain people a request to create a Kerberos key
>and an account I can test with.  However, they provided one on a box I
>did not have root on and it was way too frustrating trying to get unix
>admin in India to understand what to do.  I now have a sandbox
>environment with root and am trying different things, it has not worked
>so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH 
for the first time. There are lots of moving parts and if you get just one 
thing wrong the whole lot fails. The error messages may not be too helpful when 
this happens. Posting the full error message, associated stack trace and 
exactly what you did to get to that point will help us to help you. Without 
those specifics, there is little the folks here can do to help and so far you 
have not provided any details apart from "it has not worked".

You will find this a whole lot easier if you can start from a known working 
configuration and take little steps towards the configuration you want. There 
are so many things that can go wrong that going directly to the configuration 
you want is going to be very high risk.

I'd strongly recommend that you follow something like the following approach:
Part one
1. Create three local Windows VMs (domain controller, server, client) and do 
a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs 
should take you through this step by step (although they do not try and are not 
intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or 
omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one but in your dev environment but use the domain controller from 
the dev environment rather than your VM (so you only have two VMs). You'll need 
co-operation from the domain admins but since you'll have your notes from part 
one you'll be able to tell them exactly what to do (which unfortunately it 
sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be 
familiar enough with the process that any problems will be because of running 
on AIX. Again, report any issues here and we'll do what we can to help. My best 
guess at this point is that it will either just work or you'll need to install 
samba, add the machine to the domain and do some additional (currently unknown) 
configuration. I'm leaning towards the just work option since I can't see why 
the Tomcat server needs to be part of the domain if it has its own service 
account. On the other hand, I'm not that familiar with the details of the 
Kerberos protocol and it is a while since I looked at all of this so I could 
easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at 
that point (assuming you have root access to an AIX dev machine) you'll still 
be in full control and a fair amount of tweaking may be required.

>Have you tried using this documentation? 

Actually no, I haven't tried using that documentation. On the other hand I 
implemented that feature. I figured out how to make built-in Windows 
authentication work (the JVM does the hard work) from the references linked in 
the documentation and then I implemented Tomcat's built-in support for Windows 
authentication and also wrote the documentation. And I have a working 
configuration in a series of VMs on the machine in front of me. The 
documentation very deliberately provides detailed step-by-step instructions 
that are known to work. If you find any errors or omissions let us know.

> If not then please don't
>comment on how easy it is and straight forward.  I am doing my best and
>have been in computing, unix in particular, for over 30yrs.

Given that intended tone is not something that comes across well in e-mail 
communication, your final paragraph reads as arrogant rather than the tone you 
intended (I'm assuming you weren't aiming for arrogance). That is unlikely to 
encourage anyone here to help. That is particularly unfortunate when the person 
you are directing your comments at implemented the feature you are trying to 
use and could be the person best placed to help you.

Mark

>
>Regards,
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:ma..

Re: very basic question about apache and tomcat

2012-09-20 Thread Mark Thomas


"Terence M. Bandoian"  wrote:

>On 9/19/2012 6:38 PM, Jeff wrote:
>> I have a related question since we recently implemented
>authentication to
>> AD via LDAP in our Tomcat WebApp but it currently prompts the user
>for
>> every new session, even if they are hitting the site from their
>windows
>> workstation that is already authenticated to the domain.
>>
>> Is there a way to do it that detects the user's current AD session
>and
>> eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
>> independent?  If so, it would be great!
>
>You might try Waffle.

Waffle is a Windows native solution. The OP wants Tomcat running on AIX. Waffle 
is not going to work. If moving Tomcat to Windows was an option, then Waffle 
would be a possibility (and that is made clear in Tomcat's docs - as are a 
number of other options).

Mark




Re: very basic question about apache and tomcat

2012-09-20 Thread Terence M. Bandoian

On 9/19/2012 6:38 PM, Jeff wrote:

I have a related question since we recently implemented authentication to
AD via LDAP in our Tomcat WebApp but it currently prompts the user for
every new session, even if they are hitting the site from their windows
workstation that is already authenticated to the domain.

Is there a way to do it that detects the user's current AD session and
eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
independent?  If so, it would be great!


You might try Waffle.

-Terence Bandoian




RE: very basic question about apache and tomcat

2012-09-20 Thread Mead, Jen L
Thanks.  I am in the process of testing.  The earlier answer from Chris 
suggested that I might need some additional modules / libraries.  I am 
following it step by step and I do see the unix part.

I have sent my windows domain people a request to create a Kerberos key and an 
account I can test with.  However, they provided one on a box I did not have 
root on and it was way too frustrating trying to get unix admin in India to 
understand what to do.  I now have a sandbox environment with root and am 
trying different things, it has not worked so far.

Have you tried using this documentation?  If not then please don't comment on 
how easy it is and straight forward.  I am doing my best and have been in 
computing, unix in particular, for over 30yrs.

Regards,
Jen

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, September 20, 2012 10:09 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat



"Mead, Jen L"  wrote:

>Yes, I did not find that useful.  It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page 
provides detailed, step-by-step configuration instructions. As I said, the page 
assumes Tomcat is running on a Windows machine but that may be necessary for 
Windows authentication to work. I haven't tested it and performing that testing 
is at the end of a long to do list. There is nothing stopping you from testing 
this.
 
>If I am missing something please let me know.  I want to use Built-in 
>Tomcat support.

You appear to have missed the section entitled "built-in Tomcat support" which 
is an exact match for what you are looking for.

Mark


>
>Jen
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org]
>Sent: Thursday, September 20, 2012 9:20 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>"Mead, Jen L"  wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch 
>>of other people you met.  Anyways.  Exactly what I am trying to do is 
>>allow folks to use their web browser (I would like to stick with
>tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate 
>>against the windows domain.  I am hoping this can be accomplished 
>>without creating unix accounts.  The permissions for it, page access
>or
>>run the tool would reside in the tomcat configuration side, but all 
>>authentification would be from the windows side.  If you can tell me 
>>how to do that I would be pretty happy.  I cannot find documentation
>on
>>how to do it
>
>Did you find this?
>
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
>I haven't tested this when Tomcat is on a non-Windows platform. It is 
>certainly possible for this to work although whether any other pieces 
>(such as samba) are required and what their configuration might be I 
>don't know. OTOH, it might just work.
>
>I'll add looking at this to my to do list but it is a long list...
>
>Mark
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org





RE: very basic question about apache and tomcat

2012-09-20 Thread Mark Thomas


"Mead, Jen L"  wrote:

>Yes, I did not find that useful.  It is very vague to say the least.

You are the one being vague. You are not being very forthcoming. That page 
provides detailed, step-by-step configuration instructions. As I said, the page 
assumes Tomcat is running on a Windows machine but that may be necessary for 
Windows authentication to work. I haven't tested it and performing that testing 
is at the end of a long to do list. There is nothing stopping you from testing 
this.
 
>If I am missing something please let me know.  I want to use Built-in
>Tomcat support.

You appear to have missed the section entitled "built-in Tomcat support" which 
is an exact match for what you are looking for.

Mark


>
>Jen
>
>-Original Message-
>From: Mark Thomas [mailto:ma...@apache.org] 
>Sent: Thursday, September 20, 2012 9:20 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>"Mead, Jen L"  wrote:
>
>>Hi Chris,
>>
>>I met you at a PERL conference years and years ago along with a bunch 
>>of other people you met.  Anyways.  Exactly what I am trying to do is 
>>allow folks to use their web browser (I would like to stick with
>tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate 
>>against the windows domain.  I am hoping this can be accomplished 
>>without creating unix accounts.  The permissions for it, page access
>or 
>>run the tool would reside in the tomcat configuration side, but all 
>>authentification would be from the windows side.  If you can tell me 
>>how to do that I would be pretty happy.  I cannot find documentation
>on 
>>how to do it
>
>Did you find this?
>
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
>I haven't tested this when Tomcat is on a non-Windows platform. It is
>certainly possible for this to work although whether any other pieces
>(such as samba) are required and what their configuration might be I
>don't know. OTOH, it might just work.
>
>I'll add looking at this to my to do list but it is a long list...
>
>Mark
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org





RE: very basic question about apache and tomcat

2012-09-20 Thread Mead, Jen L
Yes, I did not find that useful.  It is very vague to say the least.  If I am 
missing something please let me know.  I want to use Built-in Tomcat support.

Jen

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, September 20, 2012 9:20 AM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

"Mead, Jen L"  wrote:

>Hi Chris,
>
>I met you at a PERL conference years and years ago along with a bunch 
>of other people you met.  Anyways.  Exactly what I am trying to do is 
>allow folks to use their web browser (I would like to stick with tomcat
>7.0.27 on aix 6.1) from their windows workstation and authenticate 
>against the windows domain.  I am hoping this can be accomplished 
>without creating unix accounts.  The permissions for it, page access or 
>run the tool would reside in the tomcat configuration side, but all 
>authentification would be from the windows side.  If you can tell me 
>how to do that I would be pretty happy.  I cannot find documentation on 
>how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is certainly 
possible for this to work although whether any other pieces (such as samba) are 
required and what their configuration might be I don't know. OTOH, it might 
just work.

I'll add looking at this to my to do list but it is a long list...

Mark




RE: very basic question about apache and tomcat

2012-09-20 Thread Mark Thomas
"Mead, Jen L"  wrote:

>Hi Chris,
>
>I met you at a PERL conference years and years ago along with a bunch
>of other people you met.  Anyways.  Exactly what I am trying to do is
>allow folks to use their web browser (I would like to stick with tomcat
>7.0.27 on aix 6.1) from their windows workstation and authenticate
>against the windows domain.  I am hoping this can be accomplished
>without creating unix accounts.  The permissions for it, page access or
>run the tool would reside in the tomcat configuration side, but all
>authentification would be from the windows side.  If you can tell me
>how to do that I would be pretty happy.  I cannot find documentation on
>how to do it

Did you find this?

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I haven't tested this when Tomcat is on a non-Windows platform. It is
certainly possible for this to work although whether any other pieces
(such as samba) are required and what their configuration might be I
don't know. OTOH, it might just work.

I'll add looking at this to my to do list but it is a long list...

Mark




RE: very basic question about apache and tomcat

2012-09-20 Thread Mead, Jen L
Hi Chris,

See responses below:

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, September 20, 2012 8:50 AM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat


-Jen,

On 9/20/12 11:19 AM, Mead, Jen L wrote:
> I met you at a PERL conference years and years ago along with a bunch 
> of other people you met.

-Unlikely... I've never been to a Perl conference.

-[OT NB: I've found out that I'm not the only Christopher Schultz in the
-world -- even in my own local region. I got pulled-over for speeding one
-time and was told that my license had been suspended *and* revoked (I'm not
-sure how that's different than just being revoked, but what the hey).
-Anyhow, turns out that the state I was living in used soundex codes for
-driver's license numbers and another (apparently evil) Christopher Schultz
-and I had license numbers differing only by one digit, so the cop had it
-all wrong. Fun ride.]

LOL, bummer. Yes you do have a "famous" name.

> Anyways.  Exactly what I am trying to do is allow folks to use their 
> web browser (I would like to stick with tomcat 7.0.27 on aix
> 6.1) from their windows workstation and authenticate against the 
> windows domain.

-Ok.

> I am hoping this can be accomplished without creating unix accounts.

-Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere, anyway,
-since Tomcat doesn't have a module to authenticate against the local UNIX
-environment, anyway.

> The permissions for it, page access or run the tool would reside in 
> the tomcat configuration side, but all authentication would be from 
> the windows side.

-So you want your clients to provide Kerberos tokens to Tomcat? Have you
-arranged for that kind of thing?

- -chris

Yes I have to a point.  We have HP support and mostly it is in India and we 
don't have direct access with them.  I opened a ticket but they are requesting that 
I tell them exactly how to do it.  I am working with them on that.  They are 
waiting for me to test from my AIX environment to iron out all those pieces.  I 
know they need to configure my server into their environment and maybe it will 
require a special user account.  If you have info on that that would be good.

Could you tell me which modules / libraries I need to download and install for 
tomcat to authenticate against the windows environment and how to tweak them?  
I am ready to dig into this.

Jen





Re: very basic question about apache and tomcat

2012-09-20 Thread Christopher Schultz

Jen,

On 9/20/12 11:19 AM, Mead, Jen L wrote:
> I met you at a PERL conference years and years ago along with a
> bunch of other people you met.

Unlikely... I've never been to a Perl conference.

[OT NB: I've found out that I'm not the only Christopher Schultz in
the world -- even in my own local region. I got pulled-over for
speeding one time and was told that my license had been suspended
*and* revoked (I'm not sure how that's different than just being
revoked, but what the hey). Anyhow, turns out that the state I was
living in used soundex codes for driver's license numbers and another
(apparently evil) Christopher Schultz and I had license numbers
differing only by one digit, so the cop had it all wrong. Fun ride.]

> Anyways.  Exactly what I am trying to do is allow folks to use
> their web browser (I would like to stick with tomcat 7.0.27 on aix
> 6.1) from their windows workstation and authenticate against the
> windows domain.

Ok.

> I am hoping this can be accomplished without creating unix
> accounts.

Mirroring AD in UNIX would be foolish. It wouldn't get you anywhere,
anyway, since Tomcat doesn't have a module to authenticate against the
local UNIX environment, anyway.

> The permissions for it, page access or run the tool would reside in
> the tomcat configuration side, but all authentication would be from
> the windows side.

So you want your clients to provide Kerberos tokens to Tomcat? Have
you arranged for that kind of thing?

- -chris



RE: very basic question about apache and tomcat

2012-09-20 Thread Mead, Jen L
Hi Chris,

I met you at a PERL conference years and years ago along with a bunch of other 
people you met.  Anyways.  Exactly what I am trying to do is allow folks to use 
their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from 
their windows workstation and authenticate against the windows domain.  I am 
hoping this can be accomplished without creating unix accounts.  The 
permissions for it, page access or run the tool would reside in the tomcat 
configuration side, but all authentication would be from the windows side.  
If you can tell me how to do that I would be pretty happy.  I cannot find 
documentation on how to do it and I am not a java person nor have I touched 
this stuff in a very long time.  I was doing strictly unix admin work until a 
few months ago.  That doesn't mean I won't hack and experiment, I have a 
sandbox here at work that I can do anything on to get this configuration 
figured out.  Thanks in advance and happy to be working with you!

Jen

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, September 19, 2012 4:07 PM
To: Tomcat Users List
Subject: Re: very basic question about apache and tomcat


Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
> That was very insightful.  All the documentation that I am looking 
> into specifies apache as the application.  Maybe, just maybe the 
> server.xml file will contain what I need to move forward.  The lack of 
> documentation for what I am trying to do is frustrating.  I am not 
> even sure I can do it without loading apache with or instead of 
> tomcat.  Thanks for the info.

Can you describe what you need to accomplish without specifically referring to 
Apache httpd or Apache Tomcat?

Something like:

"We have a Java web application that needs to authenticate against Microsoft 
AD server, and there are no other moving parts required unless we need them to 
support this configuration."

The reason that I ask is that Tomcat (with some special support libraries and 
configuration) can authenticate directly against Microsoft AD and Apache httpd 
isn't necessary at all. If you /require/ Apache httpd to perform the 
authentication, then we can tell you how to do that, too.

- -chris



Re: very basic question about apache and tomcat

2012-09-20 Thread Christopher Schultz

Jeff,

On 9/19/12 7:38 PM, Jeff wrote:
> I have a related question since we recently implemented
> authentication to AD via LDAP in our Tomcat WebApp but it currently
> prompts the user for every new session, even if they are hitting
> the site from their windows workstation that is already
> authenticated to the domain.
> 
> Is there a way to do it that detects the user's current AD session
> and eliminates the need to prompt them, preferably browser
> (Chrome/FF/IE) independent?  If so, it would be great!

I believe this is possible, but you need your browser to be complicit
by sending your Kerberos token(s). I have no idea how to do that, but
I believe others on the list (André? Warnier) have done such things.

- -chris
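Whether a browser is in fact sending a Kerberos token, as the reply above requires, is visible in the `Authorization: Negotiate` request header it returns after the server's 401. The following Python check is an added example, not code from this thread or from the Tomcat project: it classifies that header value as Kerberos, NTLM fallback, or malformed. The function names are hypothetical, and the sample headers are constructed and carry no real ticket.

```python
import base64

# DER OID values (tag and length stripped) of the mechanisms a browser may offer.
SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def classify_authorization(header):
    """Classify an Authorization header value: kerberos, ntlm, or a failure reason."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "ntlm"                   # raw NTLM: no Kerberos ticket was obtained
        tag, pos, _ = read_tlv(token, 0)    # 0x60 = GSS-API InitialContextToken
        oid_tag, start, pos = read_tlv(token, pos)
        if (tag, oid_tag) != (0x60, 0x06):
            return "malformed"
        mech = token[start:pos]
        if mech == SPNEGO_OID:              # descend to mechTypes; first OID is preferred
            for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
                tag, start, end = read_tlv(token, pos)
                if tag != expected:
                    return "malformed"
                pos = start                 # step into the element just read
            mech = token[start:end]
    except (ValueError, IndexError):        # bad base64 or truncated DER
        return "malformed"
    if mech in KERBEROS_OIDS:
        return "kerberos"
    return "ntlm" if mech == NTLMSSP_OID else "unknown-mechanism"


def sample_negotiate_header(mech_oids):
    """Constructed header: a NegTokenInit holding only a mechTypes list, no ticket."""
    def der(tag, body):
        return bytes([tag, len(body)]) + body
    mechs = b"".join(der(0x06, oid) for oid in mech_oids)
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, mechs))))
    token = der(0x60, der(0x06, SPNEGO_OID) + init)
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

An `ntlm` result for a domain-joined client usually points at the service principal name, DNS name, or browser trusted-site settings rather than at Tomcat itself.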



Re: very basic question about apache and tomcat

2012-09-19 Thread Thomas Rohde


On 19.09.2012 23:31, Mead, Jen L wrote:

Hi Everybody,

Now I will show my real ignorance about what I know after NOT working with 
Apache or Tomcat for several years now.  I have been working on a project that 
allows our CGI web pages to authenticate users from their windows desktop 
against Windows AD and not requiring any kind of unix account.  I am slowly 
getting the information I need to move forward but information is just not out 
there to get.  I am just chipping away at it.

My basic question is: do I need to install apache as well as tomcat to have an 
httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, 
with tomcat 7.0.27 installed.  I was doing a simple search to find the 
httpd.conf file when I realized none of my servers have it installed.  When I 
try to find out which app creates it I get the answer apache (from google 
searches).  So I guess that tomcat is a subset of apache?  A virtual java app I 
suppose?  See I told you the questions were basic.  Yikes it is hard to 
understand as a newbie, especially when I can load tomcat and get web pages 
working in a few minutes.  LOL

Any help is appreciated in regard to helping me wrap my brain around this.  ARGH

Regards,
Jen

Jen L Mead | Sys Admin | ICC Operations | Con-way | Office 503-450-8641
SAFETY| LEADERSHIP | INTEGRITY | COMMITMENT | EXCELLENCE | Driven by Integrity





Hi Jen,

basic answer:

Apache HTTPD and Apache Tomcat have generally nothing in common. They 
are totally different.


The httpd.conf is the main configuration file for the Apache HTTPD 
Webserver. It comes with the installation of an Apache HTTPD Webserver 
and is located in /conf/httpd.conf. Tomcat neither 
generates nor reads this file.


Bye
Thomas




Re: very basic question about apache and tomcat

2012-09-19 Thread Jeff
I have a related question since we recently implemented authentication to
AD via LDAP in our Tomcat WebApp but it currently prompts the user for
every new session, even if they are hitting the site from their windows
workstation that is already authenticated to the domain.

Is there a way to do it that detects the user's current AD session and
eliminates the need to prompt them, preferably browser (Chrome/FF/IE)
independent?  If so, it would be great!

On Wed, Sep 19, 2012 at 5:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Jen,
>
> On 9/19/12 5:52 PM, Mead, Jen L wrote:
> > That was very insightful.  All the documentation that I am looking
> > into specifies apache as the application.  Maybe, just maybe the
> > server.xml file will contain what I need to move forward.  The lack
> > of documentation for what I am trying to do is frustrating.  I am
> > not even sure I can do it without loading apache with or instead of
> > tomcat.  Thanks for the info.
>
> Can you describe what you need to accomplish without specifically
> referring to Apache httpd or Apache Tomcat?
>
> Something like:
>
> "We have a Java web application that needs to authenticate against
> Microsoft AD server, and there are no other moving parts required
> unless we need them to support this configuration."
>
> The reason that I ask is that Tomcat (with some special support
> libraries and configuration) can authenticate directly against
> Microsoft AD and Apache httpd isn't necessary at all. If you /require/
> Apache httpd to perform the authentication, then we can tell you how
> to do that, too.
>
> - -chris


-- 
Jeff Vincent
predato...@gmail.com
See my LinkedIn profile at:
http://www.linkedin.com/in/rjeffreyvincent
I ♥ DropBox  !!


Re: very basic question about apache and tomcat

2012-09-19 Thread Christopher Schultz

Jen,

On 9/19/12 5:52 PM, Mead, Jen L wrote:
> That was very insightful.  All the documentation that I am looking
> into specifies apache as the application.  Maybe, just maybe the
> server.xml file will contain what I need to move forward.  The lack
> of documentation for what I am trying to do is frustrating.  I am
> not even sure I can do it without loading apache with or instead of
> tomcat.  Thanks for the info.

Can you describe what you need to accomplish without specifically
referring to Apache httpd or Apache Tomcat?

Something like:

"We have a Java web application that needs to authenticate against
Microsoft AD server, and there are no other moving parts required
unless we need them to support this configuration."

The reason that I ask is that Tomcat (with some special support
libraries and configuration) can authenticate directly against
Microsoft AD and Apache httpd isn't necessary at all. If you /require/
Apache httpd to perform the authentication, then we can tell you how
to do that, too.

- -chris



Re: very basic question about apache and tomcat

2012-09-19 Thread Christopher Schultz

David,

On 9/19/12 5:45 PM, David A. Rush wrote:
> 
> On 2012-09-19 17:31, Mead, Jen L wrote:
>> My basic question is: do I need to install apache as well as
>> tomcat to have an httpd.conf file?  I have tomcat running on
>> several AIX servers, 6.1 and 5.3, with tomcat 7.0.27 installed.
>> I was doing a simple search to find the httpd.conf file when I
>> realized none of my servers have it installed.  When I try to
>> find out which app creates it I get the answer apache (from
>> google searches).  So I guess that tomcat is a subset of apache?
>> A virtual java app I suppose?  See I told you the questions were
>> basic.  Yikes it is hard to understand as a newbie, especially
>> when I can load tomcat and get web pages working in a few
>> minutes.  LOL
>> 
> Tomcat and HTTPD (Apache web server) are two different things,
> though often used together.  Both are projects of the Apache
> Software Foundation.
> 
> Tomcat is capable of running standalone.  It is not a subset of
> the Apache HTTPD.  For various reasons many folks run Tomcat
> "behind" Apache HTTPD, but that isn't necessary.
> 
> There's overlap between the functionality of Tomcat and HTTPD.
> Whether you need just Tomcat, just HTTPD, or both, depends on what
> you want to do.
> 
> httpd.conf is the typical name of the primary HTTPD configuration
> file (although that may be different depending on who built the
> distribution you're using and on what kind of OS).
> 
> Tomcat uses server.xml as its primary configuration file.

+1

David, great reply.

- -chris



RE: very basic question about apache and tomcat

2012-09-19 Thread Mead, Jen L
That was very insightful.  All the documentation that I am looking into 
specifies apache as the application.  Maybe, just maybe the server.xml file 
will contain what I need to move forward.  The lack of documentation for what I 
am trying to do is frustrating.  I am not even sure I can do it without loading 
apache with or instead of tomcat.  Thanks for the info.
J

-Original Message-
From: David A. Rush [mailto:da...@rushtone.com] 
Sent: Wednesday, September 19, 2012 2:45 PM
To: users@tomcat.apache.org
Subject: Re: very basic question about apache and tomcat


On 2012-09-19 17:31, Mead, Jen L wrote:
> My basic question is: do I need to install apache as well as tomcat to 
> have an httpd.conf file?  I have tomcat running on several AIX 
> servers, 6.1 and 5.3, with tomcat 7.0.27 installed.  I was doing a 
> simple search to find the httpd.conf file when I realized none of my 
> servers have it installed.  When I try to find out which app creates 
> it I get the answer apache (from google searches).  So I guess that 
> tomcat is a subset of apache?  A virtual java app I suppose?  See I 
> told you the questions were basic.  Yikes it is hard to understand as 
> a newbie, especially when I can load tomcat and get web pages working 
> in a few minutes.  LOL
>
Tomcat and HTTPD (Apache web server) are two different things, though often 
used together.  Both are projects of the Apache Software Foundation.

Tomcat is capable of running standalone.  It is not a subset of the Apache 
HTTPD.  For various reasons many folks run Tomcat "behind" Apache HTTPD, but 
that isn't necessary.

There's overlap between the functionality of Tomcat and HTTPD. Whether you need 
just Tomcat, just HTTPD, or both, depends on what you want to do.

httpd.conf is the typical name of the primary HTTPD configuration file 
(although that may be different depending on who built the distribution you're 
using and on what kind of OS).

Tomcat uses server.xml as its primary configuration file.

David




Re: very basic question about apache and tomcat

2012-09-19 Thread David A. Rush


On 2012-09-19 17:31, Mead, Jen L wrote:

My basic question is: do I need to install apache as well as tomcat to have an 
httpd.conf file?  I have tomcat running on several AIX servers, 6.1 and 5.3, 
with tomcat 7.0.27 installed.  I was doing a simple search to find the 
httpd.conf file when I realized none of my servers have it installed.  When I 
try to find out which app creates it I get the answer apache (from google 
searches).  So I guess that tomcat is a subset of apache?  A virtual java app I 
suppose?  See I told you the questions were basic.  Yikes it is hard to 
understand as a newbie, especially when I can load tomcat and get web pages 
working in a few minutes.  LOL

Tomcat and HTTPD (Apache web server) are two different things, though 
often used together.  Both are projects of the Apache Software Foundation.


Tomcat is capable of running standalone.  It is not a subset of the 
Apache HTTPD.  For various reasons many folks run Tomcat "behind" Apache 
HTTPD, but that isn't necessary.


There's overlap between the functionality of Tomcat and HTTPD. Whether 
you need just Tomcat, just HTTPD, or both, depends on what you want to do.


httpd.conf is the typical name of the primary HTTPD configuration file 
(although that may be different depending on who built the distribution 
you're using and on what kind of OS).


Tomcat uses server.xml as its primary configuration file.

David
